CVE-2025-52520 – org.apache.tomcat:tomcat-catalina

Package

Manager: maven
Name: org.apache.tomcat:tomcat-catalina
Vulnerable Version: >=11.0.0-m1 <11.0.9 || >=10.1.0-m1 <10.1.43 || >=9.0.0.m1 <9.0.107 || >=8.5.0 <=8.5.100

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U

EPSS: 0.00217 pctl0.44231

Details

Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Metadata

Created: 2025-07-10T21:31:52Z
Modified: 2025-08-08T19:05:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-wr62-c79q-cv37/GHSA-wr62-c79q-cv37.json
CWE IDs: ["CWE-190"]
Alternative ID: GHSA-wr62-c79q-cv37
Finding: F111
Auto approve: 1